Marriott said it was alerted on September 8 that there had been an attempt to hack their reservation database in the United States.
The company discovered "that there had been unauthorised access to the Starwood network since 2014" which compromised personal and financial information.
The probe found "an unauthorised party had copied and encrypted information and took steps towards removing it."
After decrypting the information, the company found on November 19 "that the contents were from the Starwood guest reservation database."
Hotel brands in the Starwood network include Sheraton, Westin, Four Points and W Hotels.
"We deeply regret this incident happened," Marriott chief Arne Sorenson said in a statement. "We fell short of what our guests deserve and what we expect of ourselves."
Marriott said hackers accessed information like names, addresses and dates of birth from most of the affected customers but could not rule out that they were able to access some encrypted credit card information.
The company said it would reach out to victims of the hack and is offering support to those affected including free, one-year enrollment in WebWatcher a service which monitors internet sites where personal data is shared.
Marriott also is working with law enforcement and security experts to tighten security on its system.
"Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network," Sorenson said.
It is the latest case of massive breaches that compromise personal data and can cause years of headaches for victims, who often face serious legal and financial repercussions.
The company said it would reach out to victims of the hack and is offering support to those affected